This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

Consider using password strength test instead of specific rules #178

Open
k88hudson opened this issue Aug 31, 2015 · 5 comments

Comments

@k88hudson
Contributor

I was looking around validation stuff the other day and found https://github.com/dropbox/zxcvbn, which uses a bunch of rules that get converted into a generic indicator of password strength rather than a single rule set. The output looks like this:

result.entropy            # bits

result.crack_time         # estimation of actual crack time, in seconds.

result.crack_time_display # same crack time, as a friendlier string:
                          # "instant", "6 minutes", "centuries", etc.

result.score              # [0,1,2,3,4] if crack time is less than
                          # [10**2, 10**4, 10**6, 10**8, Infinity].
                          # (useful for implementing a strength bar.)

result.match_sequence     # the list of patterns that zxcvbn based the
                          # entropy calculation on.

result.calc_time          # how long it took zxcvbn to calculate an answer,
                          # in milliseconds.

and appears to users like this:

[image: screenshot of the zxcvbn strength meter as shown to users]

It seems like this would be a better user experience for helping people create strong passwords; what do you think?

More info here:
https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
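The score thresholds quoted above, worked through as an added example (my code, not from the issue, from zxcvbn or from the Webmaker project): it maps an estimated crack time to the 0..4 score exactly as the quoted output describes, renders a friendlier display string, and shows how a signup form could gate on a minimum score instead of on composition rules. The display cut-offs, the default minimum score of 3, and the function names (`scoreFromCrackTime`, `crackTimeDisplay`, `evaluateSignupPassword`) are assumptions; the sample estimates are constructed, not real zxcvbn output.

```javascript
// Added example: not code from the issue or from zxcvbn. It reproduces the
// crack_time -> score mapping quoted in the issue and shows how a signup form
// can gate on a minimum score instead of on composition rules. The display
// buckets, the default minimum score and all function names are assumptions.

// Score thresholds from the issue: score 0..4 if crack time (seconds) is
// less than 10**2, 10**4, 10**6, 10**8, Infinity respectively.
const SCORE_THRESHOLDS = [1e2, 1e4, 1e6, 1e8, Infinity];

// Map an estimated crack time in seconds to a 0..4 score: the index of the
// first threshold the estimate falls below. Rejects NaN, negatives and
// non-numbers instead of silently scoring them.
function scoreFromCrackTime(seconds) {
  if (typeof seconds !== 'number' || Number.isNaN(seconds) || seconds < 0) {
    throw new TypeError('crack time must be a non-negative number of seconds');
  }
  const idx = SCORE_THRESHOLDS.findIndex((limit) => seconds < limit);
  // Infinity is not < Infinity, so an infinite estimate gets the top score.
  return idx === -1 ? 4 : idx;
}

// Time-unit buckets for a friendlier string. The issue only shows "instant",
// "6 minutes" and "centuries"; the cut-offs below are an assumption.
const MINUTE = 60;
const HOUR = 60 * MINUTE;
const DAY = 24 * HOUR;
const MONTH = 31 * DAY;
const YEAR = 365 * DAY;
const CENTURY = 100 * YEAR;

function plural(n, unit) {
  return `${n} ${unit}${n === 1 ? '' : 's'}`;
}

function crackTimeDisplay(seconds) {
  if (seconds < MINUTE) return 'instant';
  if (seconds < HOUR) return plural(Math.round(seconds / MINUTE), 'minute');
  if (seconds < DAY) return plural(Math.round(seconds / HOUR), 'hour');
  if (seconds < MONTH) return plural(Math.round(seconds / DAY), 'day');
  if (seconds < YEAR) return plural(Math.round(seconds / MONTH), 'month');
  if (seconds < CENTURY) return plural(Math.round(seconds / YEAR), 'year');
  return 'centuries';
}

// Signup policy built on the estimate rather than on character-class rules:
// accept when the score reaches minScore (default 3, an assumption), and
// return the display string so the UI can show it next to the meter.
function evaluateSignupPassword(result, { minScore = 3 } = {}) {
  const score = scoreFromCrackTime(result.crack_time);
  const display = crackTimeDisplay(result.crack_time);
  return {
    score,
    display,
    accepted: score >= minScore,
    feedback: score >= minScore
      ? null
      : `Estimated crack time: ${display}. Try a longer passphrase.`,
  };
}

// Constructed sample estimates (not real zxcvbn output) in the shape the
// issue describes, to exercise the mapping end to end.
const SAMPLE_RESULTS = [
  { password: 'pa55word', crack_time: 0.5 },
  { password: 'Summer2015!', crack_time: 360 },
  { password: 'purple-monkey-dishwasher', crack_time: 1e7 },
  { password: 'four random words strung together', crack_time: 5e12 },
];

function demo() {
  return SAMPLE_RESULTS.map((r) => ({ password: r.password, ...evaluateSignupPassword(r) }));
}

for (const row of demo()) console.log(row);
```

With these thresholds the 360-second estimate scores 1 and is rejected at the default minimum, while the 1e7-second estimate scores 3 and passes; lowering `minScore` is the single knob a deployment would tune instead of editing a list of character rules.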

@jbuck
Member

jbuck commented Aug 31, 2015

Yesssssss, this is so much better.

@matthewsot

This would definitely solve the problem I was describing in that issue!

I've thrown together what I think is a working version of it at matthewsot/id.webmaker.org (see https://github.com/matthewsot/id.webmaker.org/commit/62aeb4614add43aaac38b4a9dc9dd60739704046) though I have close to zero experience with React/Node and am not able to test whether it actually works (it shows the strength meter, but I don't have the other parts set up to test if it will let you sign up with the validated password).

I'd really love to see this get implemented in Webmaker, as the current password requirements (IMO) are still far too stringent for a classroom environment. Any idea how much more work it would take to get this (or a similar solution) to the point where it can be used for Webmaker?

@jbuck
Member

jbuck commented Sep 14, 2015

@matthewsot Awesome! Could you submit that as a PR so we can review it?

@k88hudson
Contributor Author

Awesome @matthewsot !!

@matthewsot

@jbuck - definitely, submitted: mozilla/id.webmaker.org#388 :)
